Friday, 29 October 2010

Nagios Gotchas

So, you've just set up Nagios. You've followed these links:

http://nagios.sourceforge.net/docs/3_0/quickstart-fedora.html
and
http://nagios.sourceforge.net/docs/2_0/commandfile.html

but you're still getting this error!?! The logfile looks good:

"It appears as though you do not have permission to view information for any of the services you requested... If you believe this is an error, check the HTTP server authentication requirements for accessing this CGI and check the authorization options in your CGI configuration file."

Well, there's nothing like doing what da man says. Did you perhaps not set nagiosadmin as the user in htpasswd.users? Because if you didn't, Nagios won't let you view any pages like hosts etc. So what do you do? You need to do one of two things. Either:

vi path/to/nagios/etc/cgi.cfg

and change the authorized user (the authorized_for_* lines) from nagiosadmin to $username

or:

htpasswd -c /path/to/nagios/etc/htpasswd.users nagiosadmin (type password)

I'm kinda surprised this has been hard-coded.
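As an added check (example code written for this post, not anything from the Nagios docs): a small shell function that compares the users named in the authorized_for_* lines of cgi.cfg with the users actually present in htpasswd.users, so the mismatch shows up before you hit the CGI error. It assumes the standard cgi.cfg directive names and builds its own constructed sample files.

```shell
# Added example, not from the original post: print every user named in an
# authorized_for_* directive of cgi.cfg that has no entry in htpasswd.users.
# Such a user is exactly the case behind the error above: the web server
# never lets anyone in under that name, so nagios shows nothing.
nagios_missing_users() {
    cgi_cfg="$1"
    htpasswd_file="$2"
    # htpasswd entries are "user:hash"; keep only the user part
    known=$(cut -d: -f1 "$htpasswd_file")
    # directives look like authorized_for_xxx=user1,user2 ; commented-out
    # lines (leading #) are skipped by the anchored regex
    grep -E '^[[:space:]]*authorized_for_[a-z_]+=' "$cgi_cfg" \
        | cut -d= -f2- | tr ',' '\n' | tr -d ' \t' | sort -u \
        | while read -r u; do
            [ -n "$u" ] || continue
            printf '%s\n' "$known" | grep -qxF "$u" || echo "$u"
        done
}

# constructed sample files mirroring the situation in the post:
# cgi.cfg still authorises nagiosadmin, but only bob was added with htpasswd
demo_dir=$(mktemp -d)
cat > "$demo_dir/cgi.cfg" <<'EOF'
use_authentication=1
authorized_for_system_information=nagiosadmin
authorized_for_all_services=nagiosadmin,bob
authorized_for_all_hosts=nagiosadmin,bob
EOF
echo 'bob:$apr1$placeholderhash' > "$demo_dir/htpasswd.users"   # hash is a placeholder
nagios_missing_users "$demo_dir/cgi.cfg" "$demo_dir/htpasswd.users"   # prints: nagiosadmin
rm -rf "$demo_dir"
```

Note that htpasswd -c creates the file from scratch, so drop the -c if htpasswd.users already has users in it.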

If this has helped you, please leave a comment - I love feedback and I promise to post more often if I do :)

Tuesday, 27 July 2010

Retro!

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT d--- s--:->- a C++$ UL++++$ P+@>+ L+++$ E--- W++$ N+ !o> K-? !w-- !O- M+@>+ !V- PS++>$ PE++@ Y+@ PGP+$ t()@ !5-- !X- !R-- tv b+++ DI++(++) !D---- G e h r@ x++*@
------END GEEK CODE BLOCK------
Oh, and I've made comments moderated due to the huge amounts of spam. Sorry :(

Monday, 26 July 2010

Neglectful admin

I've been neglecting this blog for a while now; I do wonder if anyone noticed?

Well, never mind, I'll just send this out to the blogosphere in the vain hope that someone may read it and find it useful/funny/weird/strange/etc.

So, I was away for a fair chunk of the year, in Oz due to a family issue. When most British have a 'family issue' it's something that can be dealt with OOH, but not this little ex-pat chicken. Lots of midnight phone calls followed by 2 trips out to Oz, and a fair amount of desperately-trying-to-catch-up-with-work/colleagues-while-hopelessly-out-of-timezone-jetlag-ugh! Also the trusty laptop packed up around 2 weeks in, meaning a call to Dell Oz for new memory (supplied direct to the hospital room!), keyboard (flat out denied!) and HDD, and I quickly found myself getting very familiar with Ubuntu. As usual, Ubuntu (9) didn't disappoint, working straight out of the box, and to the delight of my employers I was back up and running in no time. The only downside, and the reason I didn't keep it on there, is the VMware vSphere client, which is next to impossible to import into Wine unless you're unemployed and have lots of time on your hands - something I wasn't wildly enthusiastic about. For security reasons we don't enable the web client, so at the moment Windows on the laptop is a bit of a necessity. Ho hum. At least my Hardy Heron work PC running dual monitors (oh the configuration hell! maybe I should post it here sometime) is the last and only remaining Linux box on the office PC network.

Speaking of office networks.... we are moving our Linux/corp network far far far away from anything resembling a Windows machine... The solution to this of course is a bastion network, meaning all servers are firewalled away from everything else, and only what is necessary is actually punched through the firewall to the corresponding machine's IP. iptables is a good second layer of security here too. In specifying all the rules I have had to refresh my knowledge of each machine, exactly what it's running and what it's not supposed to be running, which means the wiki also benefits, whereas a documentation task on its own would have been rather tedious and boring.

Of course the real proof of the pudding is when I decide to 'flip the switch', or rather change the IPs over, and watch everything break in a rather spectacular fashion, but I'm sure that won't happen because I am made of WIN, right???

Production infrastructure continues apace... we have a lovely set of puppet configs now and everything is just so *easy*, except if your search domains in resolv.conf are broken of course, and puppet can't resolve and therefore cannot roll back, and then there's hateful manual configuration, but thankfully a) it wasn't me! and b) only a small pool of machines. It does make me wonder though about the wisdom of managing DNS through puppet and whether or not I would be shooting myself in the foot. Place bets now...

Oh, I got a new phone - HTC Desire of course, but I'm kind of disappointed that it doesn't have pure IPSec VPN OOTB, which kind of rules out me using it as a work phone, so I guess we will stick with the BBs for now - they're not too bad, but I do hate lugging 2 phones everywhere. The only option is rooting my phone, but given the hell I had to go through with T-Mobile to get it, only to brick it, I think I would rather poke my eyes out with rusty chainsaws, kthx.

Anyway, I promise to update more. Thanks for listening.

Wednesday, 28 October 2009

interesting...

Yes, I've been bad, I've not posted. Slap me.

But I thought this might be of interest to you lot:

http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html

Seems you can now load balance within Apache with the added feature of sticky sessions.

Wednesday, 26 August 2009

ARGGH!

IDIOTS!

Everywhere! On the internet!

Friday, 7 August 2009

puppet iptables module

I now have a working copy of an iptables puppet module.

I used the following recipe:

http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleIptables

However, it did require a little tweaking, so it's probably worth documenting here.

Firstly, we use SVN to add or edit our puppet config, so I needed to add the following files:

/puppet/modules/iptables/files/fragments/default.pp
/puppet/modules/iptables/files/rebuild-iptables
/puppet/modules/iptables/manifests/init.pp

and edit the file
/puppet/manifests/nodes.pp

(I didn't add a separate class for this, due to the way our environment is structured.)

So firstly, default.pp: I want this to contain the iptables rules I want to install on a specific bunch of servers.

For example:

-A INPUT -j SUL
-A FORWARD -j SUL
-A SUL -i lo -j ACCEPT
-A SUL -i eth0 -j ACCEPT
-A SUL -p icmp --icmp-type any -j ACCEPT
-A SUL -p 50 -j ACCEPT
-A SUL -p 51 -j ACCEPT


I should note that I don't include the SVN keyword headers in this file, because they can interfere with the iptables rebuild script.

So I've checked this into SVN, so all good there.

Next, I need to check in rebuild-iptables. Also, if you reference your rules in a different way (eg A-REDHAT-FIREWALL, or similar) you will need to edit the script before you check it in.

Thirdly, here is my nodes.pp: for each server I want to load these rules on, I reference the fragment I want to apply to that server:

node 'foo.example.com' inherits foonode {
    include iptables
    ipt_fragment { "default": ensure => present }
}

As iptables is a module, you just need to include it. Then you need to reference the fragment.

Lastly, a bit of a gotcha. You need to set the mode of rebuild-iptables in the iptables module's init.pp, otherwise it is not executable:

file {
    "/etc/iptables.d":
        ensure => directory,
        purge  => true,
        notify => Exec["rebuild_iptables"];
    "/usr/sbin/rebuild-iptables":
        mode   => "755",
        source => "puppet://puppet/iptables/rebuild-iptables";
}

Check into SVN, then run svn-puppet on the server so it has the latest config.

Then on the client, run puppetd --test, or in debug if you prefer.
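As an added illustration (example code for this post, not the recipe's own rebuild-iptables script): a shell function that does the same job in miniature, stitching the fragments in a directory into one iptables-restore ruleset and refusing any fragment that still carries an SVN keyword header or a non-rule line, which is the interference mentioned above. The /etc/iptables.d-style layout and the restore-file format are assumptions; the sample fragment is the one from this post.

```shell
# Added illustration, not the recipe's rebuild-iptables script: join the rule
# fragments under a directory into one iptables-restore input. Fragments are
# assumed to hold only "-A"/"-I" rules plus comments; anything else (an SVN
# $Id$ header, say) is refused rather than fed to iptables-restore.
build_iptables_ruleset() {
    fragdir="$1"
    rules=""
    for frag in "$fragdir"/*; do
        [ -f "$frag" ] || continue
        # keyword headers expanded by SVN would land inside the restore file
        if grep -Eq '\$(Id|Revision|Date|Author)(:[^$]*)?\$' "$frag"; then
            echo "refusing $frag: contains an SVN keyword header" >&2
            return 1
        fi
        # only rule lines, comments and blanks may appear in a fragment
        if grep -Evq '^(-A |-I |#|[[:space:]]*$)' "$frag"; then
            echo "refusing $frag: non-rule line found" >&2
            return 1
        fi
        rules="$rules
$(grep -E '^-[AI] ' "$frag" || true)"
    done
    # chains the fragments append to that are not built-ins must be declared
    chains=$(printf '%s\n' "$rules" | awk '$1=="-A"||$1=="-I"{print $2}' \
             | grep -Evx 'INPUT|FORWARD|OUTPUT' | sort -u || true)
    echo '*filter'
    for c in INPUT FORWARD OUTPUT; do echo ":$c ACCEPT [0:0]"; done
    for c in $chains; do echo ":$c - [0:0]"; done
    printf '%s\n' "$rules" | grep -E '^-[AI] '
    echo 'COMMIT'
}

# constructed sample: the fragment from this post, then one with a stray header
demo_dir=$(mktemp -d)
cat > "$demo_dir/default" <<'EOF'
-A INPUT -j SUL
-A FORWARD -j SUL
-A SUL -i lo -j ACCEPT
-A SUL -i eth0 -j ACCEPT
-A SUL -p icmp --icmp-type any -j ACCEPT
-A SUL -p 50 -j ACCEPT
-A SUL -p 51 -j ACCEPT
EOF
build_iptables_ruleset "$demo_dir"             # prints the assembled ruleset
printf '$Id: tainted 1 $\n-A INPUT -j ACCEPT\n' > "$demo_dir/tainted"
build_iptables_ruleset "$demo_dir" >/dev/null || echo "second run refused, as intended"
rm -rf "$demo_dir"
```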

Please let me know if you find this helpful, or have any other comments.